CVE-2026-56317

UNKNOWN 0.0

Nuxt - Cross-Site Scripting via NoScript Component Slot Content

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Nuxt before 4.4.7 (and the 3.x branch before 3.21.7) contains a cross-site scripting vulnerability in the NoScript component that writes slot content to innerHTML without escaping. Attackers can inject malicious scripts through untrusted data in NoScript slots, such as route.query parameters, which execute in the document context when the noscript tag is implicitly closed by script tags.

CWE	CWE-79
Vendor	nuxt
Product	nuxt
Published	Jun 20, 2026

Stay Ahead of the Next One

Get instant alerts for nuxt nuxt

Be the first to know when new unknown vulnerabilities affecting nuxt nuxt are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Nuxt / Nuxt

4.0.0 < 4.4.7

Nuxt / Nuxt

0 < 3.21.7

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/nuxt/nuxt/security/advisories/GHSA-m3q2-p4fw-w38m github.com: https://github.com/nuxt/nuxt/commit/4b054e9d95f8daf366cb144b52782047c511a66e github.com: https://github.com/nuxt/nuxt/commit/7fea9fd687f1dacbfb63db5fae5839896b017a0e vulncheck.com: https://www.vulncheck.com/advisories/nuxt-cross-site-scripting-via-noscript-component-slot-content

Credits

🔍 alcls01111